Recently, the Linux version of UnrealIRCd was discovered to have had a Trojan worm its way into the source code. Even more embarrassing for the developers of Unreal is that the Trojan has been holding open the backdoor in the source code since November of 2009, which is not very recent. And, of course, bloggers and the press in general are taking the opportunity of another breach in Linux security to point out doomsday devices that don't really exist.

"The incident has nothing to do with Operating System or development methodology (open or closed).

The takeaway is that sloppy software projects with a non-existent security process will sooner or later get compromised and serve their customers poisoned goods. Could happen anywhere, irrespective of platform or chosen software licensing."

I would like to add, it's not a perfect system; there are humans involved, and they make mistakes.

But at the end of the day, you are putting software together from different sources. They should probably be contained as much as possible, also from each other.

And maybe you automate this a bit more and I hope we can improve on it. But eventually it will originate from a human being. A programmer. The Linux kernel programmers use git to keep track of the origin of every single line of code that goes into the kernel and every line is reviewed.

If we verify everything along the way into the distributions and the tools check the packages and files (regularly and) at installation time, then that is probably the best thing we can do.